7
Developing Detections Using Behavioral Indicators
In the previous chapter, we took our first look at building detections. Specifically, we used indicators of compromise (IoCs) to detect known malicious artifacts from threat intelligence. In this chapter, we will instead build more robust detections by focusing on the adversary's tools and behaviors rather than on individual artifacts.
First, we'll look at how we can detect a threat actor based on the tools they use. This will involve a lab in which we identify what PsExec usage looks like from a detection engineering perspective. Then, we'll move on to specific tactics, techniques, and procedures (TTPs) and how we can take a specific technique and identify associated evidence that can be used ...